I'm hesitant to say because I don't want Vijay to treat this as advice on the "right" way to determine which page included his plug-in. The approach of trying to read the document's location via JavaScript is fundamentally insecure.
That being said, my understanding is that Flash examines the location property of the window object and not the document object. Note that simply making this change to the below is *not* sufficient for security.

Adam

On Tue, Jun 9, 2009 at 1:30 AM, John Abd-El-Malek <j...@chromium.org> wrote:
> My question to you is what you see Flash doing. I pasted below what I
> observed by looking at their NPN calls.
>
> On Tue, Jun 9, 2009 at 5:23 PM, Adam Barth <aba...@chromium.org> wrote:
>> Here's a demo of an attack that works in Chrome:
>>
>> http://webblaze.org/abarth/tests/document-location/
>>
>> Flash does something similar, but not *precisely* what Vijay proposed.
>> This approach is extremely fragile. If you require this value to
>> make a security decision, I recommend a different approach (as I have
>> now stated multiple times).
>>
>> Adam
>>
>> On Tue, Jun 9, 2009 at 1:16 AM, John Abd-El-Malek <j...@chromium.org> wrote:
>> > I was referring to what I sniffed in IPC traffic:
>> > NPN_GetProperty is called on "location"
>> > and the returned object is NPN_Invoke'd to call "toString"
>> > Isn't this what you mean? If you observed something else, we should
>> > figure out what the discrepancy is!
>> >
>> > On Tue, Jun 9, 2009 at 3:36 PM, Adam Barth <aba...@chromium.org> wrote:
>> >> Flash does something similar, but not *precisely* the same. I stand
>> >> by my statement that the below is insecure.
>> >>
>> >> Adam
>> >>
>> >> On Mon, Jun 8, 2009 at 8:08 PM, John Abd-El-Malek <j...@chromium.org> wrote:
>> >> > BTW this is how Flash does it.
>> >> >
>> >> > On Mon, Jun 8, 2009 at 7:47 PM, Adam Barth <aba...@chromium.org> wrote:
>> >> >> On Mon, Jun 8, 2009 at 1:29 PM, vijay <tec...@gmail.com> wrote:
>> >> >> > We used to use NPN_GetURL with "javascript:document.location" as
>> >> >> > the URL. In the current implementation, after this script is executed
>> >> >> > in WebPluginImpl::ExecuteScript (in src/webkit/glue/webplugin_impl.cc),
>> >> >> > it's checking the result value:
>> >> >>
>> >> >> This is not a secure way to determine which page embedded the
>> >> >> plug-in. If you require this value to make a security decision, you should
>> >> >> use a different approach.
>> >> >>
>> >> >> Adam

Chromium Developers mailing list: chromium-dev@googlegroups.com
View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev